
Clast82: new malware found on the Google Play Store

Clast82, this is the name given to the new malware discovered by Check Point in nine Utility apps on the Google Play Store

Check Point Research, the Threat Intelligence division of Check Point Software Technologies Ltd., discovered a new dropper – a program designed to spread malware to a victim’s phone – within 9 utility apps on the Google Play Store. Dubbed “Clast82” by researchers, the dropper bypassed the store’s protections to activate a second malware that gave the hacker access to the victims’ financial accounts, as well as control of their smartphones.

How Clast82 works

Clast82 drops AlienBot Banker, a malware-as-a-service offering: a second-stage malware that targets financial apps by bypassing the two-factor authentication codes those services rely on. At the same time, Clast82 carries a mobile remote access trojan (MRAT) capable of controlling the device through TeamViewer, making the hacker the real owner of the phone without the victim’s knowledge.

Check Point outlined Clast82’s method of attack as follows:

  • The victim downloads a malicious utility app from Google Play that contains the Clast82 dropper
  • Clast82 communicates with the C&C server to receive its configuration
  • Clast82 downloads the payload named in that configuration and installs it on the Android device – in this case, the AlienBot Banker
  • The hacker gains access to the victim’s financial credentials and takes full control of the victim’s smartphone
  • Throughout, third-party resources are manipulated to hide the activity from Google

Clast82 uses a number of techniques to evade Google Play Protect detection. In particular, Clast82:

  • Uses Firebase (owned by Google) as the platform for C&C communication.
  • Had its command-and-control configuration changed by the hacker through Firebase while it was being evaluated by Google Play, which “disabled” Clast82’s malicious behavior for the duration of Google’s analysis.
  • Uses GitHub as a third-party hosting platform from which to download the payload.

For each app, the attacker has created a new developer user for the Google Play Store, along with a repository on the actor’s GitHub account, thus allowing different payloads to be distributed to devices that have been infected with each malicious app.
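The attack chain and evasion list above describe a behavior pattern rather than a fixed signature: a remote configuration fetched from Firebase, an installable package pulled from a third-party host such as GitHub, and then a request to install it. The following detector, an added example that is not Check Point's code or part of the original report, flags that ordered three-stage pattern in per-app device telemetry. The event format, package names, Firebase project names and sample events are all constructed for the example; a real deployment would load the host lists from configuration.

```python
"""
Heuristic detector for dropper-style staged behavior of the kind described
for Clast82: an app fetches a remote configuration from Firebase, then
downloads an installable package from a third-party host such as GitHub,
then asks the system to install it.

The telemetry format and every sample event below are constructed for this
example; they are not Check Point's data or a real device log.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Host families the article identifies as abused for C&C (Firebase) and for
# payload hosting (GitHub). Matched by suffix so project subdomains are covered.
CONFIG_HOST_SUFFIXES = ("firebaseio.com", "firebasedatabase.app")
PAYLOAD_HOST_SUFFIXES = ("github.com", "githubusercontent.com")


@dataclass
class Event:
    ts: int        # seconds since boot (constructed value)
    package: str   # Android package name of the app that produced the event
    kind: str      # "net" for an outbound request, "install" for a package-install request
    detail: str    # URL for "net" events, target file for "install" events


def _host_matches(url: str, suffixes) -> bool:
    """True if the URL's hostname is one of the suffixes or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def detect_staged_dropper(events):
    """Return {package: [stage description, ...]} for every package whose events
    complete the chain config-fetch -> payload-download -> install, in that order.
    Out-of-order or partial chains are not reported."""
    by_pkg = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_pkg.setdefault(ev.package, []).append(ev)

    findings = {}
    for pkg, evs in by_pkg.items():
        stage, trail = 0, []
        for ev in evs:
            host = urlparse(ev.detail).hostname if ev.kind == "net" else None
            if stage == 0 and ev.kind == "net" and _host_matches(ev.detail, CONFIG_HOST_SUFFIXES):
                stage, trail = 1, [f"t={ev.ts}: configuration fetched from {host}"]
            elif (stage == 1 and ev.kind == "net"
                  and _host_matches(ev.detail, PAYLOAD_HOST_SUFFIXES)
                  and ev.detail.lower().endswith(".apk")):
                stage = 2
                trail.append(f"t={ev.ts}: APK downloaded from {host}")
            elif stage == 2 and ev.kind == "install":
                stage = 3
                trail.append(f"t={ev.ts}: install requested for {ev.detail}")
                break
        if stage == 3:
            findings[pkg] = trail
    return findings


# Constructed sample telemetry: one benign app that legitimately uses Firebase,
# one app that completes the full staged chain, and one that installs a
# downloaded APK without any prior remote configuration step.
SAMPLE_EVENTS = [
    Event(10, "com.example.notesapp", "net", "https://notes-demo.firebaseio.com/settings.json"),
    Event(12, "com.example.notesapp", "net", "https://api.example.com/sync"),
    Event(20, "com.example.fakevpn", "net", "https://cfg-demo-default-rtdb.firebaseio.com/config.json"),
    Event(25, "com.example.fakevpn", "net", "https://raw.githubusercontent.com/demo-user/demo-repo/main/payload.apk"),
    Event(26, "com.example.fakevpn", "install", "/data/user/0/com.example.fakevpn/cache/payload.apk"),
    Event(30, "com.example.sideloader", "net", "https://github.com/demo-user/demo-repo/releases/download/v1/tool.apk"),
    Event(31, "com.example.sideloader", "install", "/sdcard/Download/tool.apk"),
]


if __name__ == "__main__":
    for pkg, trail in detect_staged_dropper(SAMPLE_EVENTS).items():
        print(f"[dropper-like chain] {pkg}")
        for line in trail:
            print("   ", line)
```

Run on the constructed sample, only `com.example.fakevpn` is reported: the notes app talks to Firebase but never fetches an APK, and the sideloader fetches and installs an APK without a preceding configuration step. The point of keying on the ordered chain is the one the evasion list makes: because the operator can switch the configuration served by Firebase at will, a single static scan can see a benign app, whereas device-side telemetry records the stages whenever they actually execute.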

The 9 utility applications involved

The hacker used legitimate and well-known open-source Android apps. Here is the list:

  • Cake VPN
  • Pacific VPN
  • eVPN
  • BeatPlayer
  • QR/Barcode Scanner MAX
  • eVPN
  • Music Player
  • tooltipnatorlibrary
  • QRecorder

Responsible communication

CPR communicated its findings to Google on January 28, 2021. On February 9, Google confirmed that all Clast82 apps had been removed from the Google Play Store.

Aviran Hazum, Check Point’s Manager of Mobile Research, said:

The hacker behind Clast82 was able to bypass Google Play’s protections using a creative, but worrying methodology. With a simple manipulation of easily found third-party resources – such as a GitHub account, or a FireBase account – the hacker was able to leverage available resources to bypass Google Play Store protections. The victims thought they were downloading a harmless utility app from the official Android store, but instead it was a dangerous Trojan targeting their financial accounts. The dropper’s ability to remain undetected demonstrates the importance of why a mobile security solution is needed. It is not enough to scan the app during analysis, as an attacker can, and will, change the behavior of the app using third-party tools.

Published by
Frank Ruffino
